Hey guys I'm running Xp home and I out of nowhere on it's next boot there was the blue screen.
"STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0x00000000 (0x00000000 0x00000000).
The system has been shut down"
Now safe mode alone works. I've tried removing the battery and memory. But it still looks like it didn't help much although there was one time when It worked properly.. Strange... So anyways that one time when I was able to get it, I ran AVG and I found over 100 viruses/ threats. One of the first listing winlogon.exe
Now after the scan I rebooted and it was back to first base. So then through safe mode I used AVG and I ran another scan and it looks like it found it again. But no luck on the next reboot. My guess is I have a virus in winlogon an that's why it can't boot after the windows loading screen. As you can see I'm not the best at removing viruses manually, and I would really appreciate the help. Thx.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Also, send us your HijackThis (http://www.trendsecure.co
Good news is I DO have restore points. Bad news is once I'm on the "Confirm Restore Point Selection" screen the Next button is non responsive and I can't get anywhere. Also I am in safe mode since I got no other option and I can't give you my HJT file since I have no internet access.. It stinks. Any ideas?
Just in case, here is some help on using the System Restore
http://www.bleeping
No
Not sure why you cannot do the system restore but found this on the internet.
Some other people had problems with system restore. If you're comfortable with regedit, you can check the values and see if something is different.
http://www.kelly
From all the comments and symptoms above, the reason for System Restore not working is probably because the machine is still heavily infected.
Suggest you re-try downloading ComboFix:
http://download.bleepingco
Can you access another computer to download ComboFix, and burn it to a CD or other media ?
If you can, before using ComboFix, please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.
Also it may be necessary to rename ComboFix (to ComboFix5 for example) before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent). Rename it, and connect to the problematic machine.
Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins. Just let it run.
It works well in normal mode or safe mode.
An alternative would be to remove the infected HD, connect it as 'slave' in another machine, then run ComboFix from the new machine.
You could look for the minidump(s) in both these places>
c:\windows\minidump\
or %systemroot%\minidump\
Can you paste the latest dump(s) in the "Attach Code Snippet" box
It's preferable to have at least three if you can locate any, then you could zip them before attaching.
If you see no minidump>
Enable Minidump's in Windows XP:
http://www.cakewalk.com/Su
Also try My Computer>Properties>Advanced
Are the boxes under 'Settings' checked, & 'small memory dump' selected?
[Or, see if you have a Dump Check Utility or a related Dumpchk.exe file, there could be a minidump located there].
Absence of Minidumps can be due to deteriorating motherboard capacitors, or unstable/flakey power supply.
I wish you had listed the viruses found by AVG; but, from your description can almost guaranty you have VIRUT/VIRUX/SCRIBBLEA. Since it infects every executable on your system and downloads several other secobdary infestations, the only sure fix is to use the factory recovery option, either from your CD's or by using the function key option before booting.
Be warned that you need to backup any files you don't want to lose (Email, pictures, music, documents, taxes, etc) beforehand and will need to install all of your software again.
Even if you got a system restore to work, it would infect those files during the reboot.
Here is another thread: http://www.experts-exchang
hey guys sorry for the late response. I work every single day and the only time i get to work on it is after work, and it just gets really tiring so it took me forever to get this for you guys. Its really crazy... i managed to run combo fix on safe mode. I can now get past to the desktop in standard startup, but after about 3 min i get a memory dump? Looks like i still owe you a minidump log... thats what i will be working on. Anyways.. it looks like my computer is really infected. So heres some logs i attached.. HJT, ComboFix, and i somehow managed to get an AVG log which was the first one. I appreciate the help guys.. thx.
Also, did you run Malwarebytes? These items are suspicious in your HijackThis log:
O2 - BHO: C:\WINDOWS\system32\gwsh3b
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.e
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrsta
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [CPMaba12e3a] Rundll32.exe "c:\windows\system32\mufaz
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\
O4 - HKCU\..\Run: [comidle] "C:\Documents and Settings\Doina\Application
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.e
O4 - HKCU\..\Run: [efk8muzw08jrth580cmws2npa
O4 - HKCU\..\Run: [sh9qg2qywi77xkp1x] C:\DOCUME~1\Doina\LOCALS~1
O4 - HKCU\..\Run: [vp6m9tyqvcpu31gg5pfwqnyjz
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Doina\reader_s.ex
O4 - HKCU\..\Run: [v5ddnnvynttm1l7ok] C:\DOCUME~1\Doina\LOCALS~1
O4 - HKCU\..\Run: [vn2lzachu2l6zz6g9v] C:\DOCUME~1\Doina\LOCALS~1
O4 - HKCU\..\Run: [bvtbmn0k0tiaqeb4e5sboy738
O4 - HKCU\..\Run: [lzhvt1aivyqyskuvyqv71njdw
O4 - HKLM\..\Policies\Explorer\
O4 - HKLM\..\Policies\Explorer\
O4 - HKUS\S-1-5-18\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlognn.e
O4 - HKUS\S-1-5-18\..\Run: [c3ef60fn00uqsvyukxsr] C:\WINDOWS\TEMP\uhjtax.exe
O4 - HKUS\S-1-5-18\..\Run: [kn8twuae71kfelf39puhjfhe4
O4 - HKUS\S-1-5-18\..\Run: [tcsu3fvi8k9ig1ulo11xlwgp1
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Doina\reader_s.ex
O4 - HKUS\S-1-5-18\..\Run: [comidle] "C:\Documents and Settings\Doina\Application
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ikxqedjgvt74hzx1cd8m99] C:\WINDOWS\TEMP\c6az0wy50z
O4 - HKUS\S-1-5-18\..\Run: [kyuu1x56ysizqewgbnxwnjln8
O4 - HKUS\S-1-5-18\..\Run: [tjbtafqs.exe] C:\WINDOWS\tjbtafqs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICR
O4 - HKUS\.DEFAULT\..\Policies\
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dl
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dl
O20 - Winlogon Notify: yayvVOef - yayvVOef.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E
O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisic
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidw
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidk
The machine was heavily infected & Combo has removed a lot.
From the HijackThis log there are signs of a Vundo infection. With this infection the ComboFix log often shows bad entries that ComboFix was unable to remove, so it may yet be necessary to use its CFScript feature.
However, Housecall will find and remove a Vundo trojan, it's worth trying>
"Trend Micro's FREE online virus scanner":
http://housecall.trendmicr
Ideal for scanning online, using "Safe Mode with networking".
If unsuccessful try downloading VundoFix 7.0.6 >>
http://www.softpedia.com/g
To use VundoFix please follow the instructions written below>>
· Please download VundoFix.exe to your desktop.
· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.
Another option is to follow that last suggestion with the Kaspersky free online virus scanner, which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software>
http://www.kaspersky.co.uk
Does it still BSOD, and if you can reach normal mode are there any(or many?) infection symptoms ?
From the observed infections you could benefit from running other scanners, and as there's no single scanner that can remove all nasties, it's worth trying the following ... i appreciate you have little spare time to troubleshoot this machine, but we're going to be around for a while.
Superantispyware:
http://www.superantispywar
If you have problems running any of the above, try the 'Stinger' which is a utility that cleans the system of viruses that block antivirus s/w.
http://vil.nai.com/vil/sti
Finally, if we find that we just cannot cleanup & fix all issues, it may be time to consider a clean install ... we're still a long way from that scenario, but just in case >
"Clean Install Windows XP":
http://www.michaelstevenst
Ok, i see you can reach the desktop!
From the observed infections you could benefit from running other scanners, and as there's no single scanner that can remove all nasties, it's worth trying the following ... i appreciate you have little spare time to troubleshoot this machine, but we're going to be around for a while.
Superantispyware:
http://www.superantispywar
If you have problems running any of the above, try the 'Stinger' which is a utility that cleans the system of viruses that block antivirus s/w.
http://vil.nai.com/vil/sti
Finally, if we find that we just cannot cleanup & fix all issues, it may be time to consider a clean install ... we're still a long way from that scenario, but just in case >
"Clean Install Windows XP":
http://www.michaelstevenst
Two more very capable scanners you could run>>
BitDefender Free Online Virus Scan:
http://www.bitdefender.com
Ensure you tick AutoClean, under Scan Options
Panda ActiveScan:
http://www.pandasoftware.c
Ensuring you tick Disinfect automatically, under Scan Options
From ComboFix log, note that there are still several malicious entries to be removed, here's one of them>
XCCEF090131.EXEMalicious Software:
http://www.prevx.com/filen
Then, if problems are still not resolved try running this ComboFix script on another Combo scan >>
1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
==========================
File::
c:\windows\system32\d3d8ca
c:\windows\system32\rtl60.
c:\windows\system\xccef090
c:\windows\system32\pcistu
Folder::
c:\documents and settings\Doina\Application
==========================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, & hopefully the problem is removed.
5. Finally, please attach the newComboFix logfile.
You may find the updated instructions useful>>
http://www.bleepingcompute
Guys... horrible news...
So as i posted on my last thread.. i was able to get into my desktop... but now unfortunately when i came back from work one of the kids used the computer . So when i booted the computer... here it comes....
"windows could not start because the folllowing file is missing or corrupt:
System32\Drivers\Ntfs.sys
*Note: I cannot enter Safe Mode or anything else other than BIOS setup""
So it goes on telling me i can use system repair. Anyways i changed boot setings inserted my xp Cd. and now i was able to get into the cd, and it looked like system setup was working. After about 2-3 min of load time, the last step before loading windows setup was to load windows and thats where it comes:
STOP: 0x0000007E (0xC0000005, 0xF786B0BF, 0xF7CB7208, 0xF7CB6F08)
*** pci.sys - Address F786B0BF base at F7864000, DateStamp 3b7d855c
Im telling you guys.... this really stinks. I was thinking about re-formatting, but it looks like im out of luck since i can't even get into windows set-up on my cd. Could it be a memory problem since it says PCI? More problems after another... i'd really appreciate the help. Thanks guys.
Doesn't sound like it. That's just saying that it cannot load the pci.sys driver. Chances are if you wipe it and do a fresh install it will run fine. That error can be caused by any number of things. Memory is just one of them, but with your recent troubles I would say it's not bad memory. Just a messed up windows install.
Info on Stop error 0x0000007E <
http://aumha.org/a/stop.ht
As you probably realise, to resolve the problem you need to replace the missing Ntfs.sys file, and do need to be able to use the XP CD >
"Missing or corrupt Ntfs.sys" error
http://support.microsoft.c
Looks like a clean install is your best bet, but again you need that CD >
"Clean Install Windows XP":
http://www.michaelstevenst
it can also be bad hardware ; to check test if you can run from a live cd, like knoppix : www.knoppix.org
Your problem is that the SATA controller is set for AHCI mode and the easy answer is to enter the BIOS and change it to ATA or "Compatible" mode. Either that or you need to download the Intel Storage Manager software, create a floppy disk (yes you will have to have a floppy drive available), then use the F6 option in Windows setup to install the drivers from the floppy.
Its really much easier to change the BIOS!
On to the next problem.......
Good news is I'm passed the error!!! I streamlined a xp cd with sp3 on it.. But after clicking setup and then r for repair and on the next reboot it brought be into windows setup as if I'm reinstalling windows xp. Anyways it goes installing and as soon as it's at installing devices my USB devices are disabled. I get an error telling me my network adapter ha not passed the windows logo testing. Anyways my comp only has USB for mouse/ keyboard. And I can't clcik anything.
Note: USB works great until I get at re installing devices point in installation.
Note2: davismccarn... Thanks your solution worked! But here I am on another problem.
What is the manufacturer and model of the computer? We're into specifics so its needed.
Micro$oft, BTW, stopped certifying XP drivers when Vista was released so all newer drivers will give that "logo testing" error. Say, yes, "continue anyway".
If the system has PS/2 ports, I would advise scrounging up a keyboard and mouse to plug into them until Windows is setup.
Dell Dimension 9150
I would love to click ok but I'm stuck. No USB, so I have no mouse or keyboard. Also I have no PS/2 ports on my system :( . Like I said before the USB driver is disabled only when the windows setup gets to "installing devices".
Anyways I ordered a Oem backup disk hoping that I have all of the drivers on there for my computer and hopefully it can help.
If you have backed up everything you care about and have not changed the Hard Disk drive, CTRL-F11 at the Dell logo screen should launch the factory recovery.
http://support.de
From your description, I am fairly sure you did not tell XP's setup to format the drive which is why it is finding uncertified drivers. You should be able to get past it and be functional if you redo the installation and tell it to format the partition.
Go here and enter your service tag number to get everything there is on your computer:
http://support.de
i think you should run a repair install : http://www.michaelstevenst
STOP: 0x0000007E (0xC0000005, 0xF786B0BF, 0xF7CB7208, 0xF7CB6F08)
*** pci.sys - Address F786B0BF base at F7864000, DateStamp 3b7d855c
It's a message when you boot with a WinXP CD without ServicePacks on a brand new computer, since HT and Dual Core processors you must boot with XP Boot CD with SP2 or later.
Just for add some knowledge to your thread.
Business Accounts
Answer for Membership
by: chakkoPosted on 2009-03-04 at 20:16:07ID: 23802555
The fastest and easiest way to get up and running would be to try and use the System Restore tool and restore your PC to a point before the problem occurred.
System Restore tool can be at: Start - Programs - Accessories - System Tools -> System Restore
If you have a Restore Point saved you can restore it, then do another Full Scan of your system.
Also, AVG is not enough to find/remove any threats on your PC. I recommend you download and try using these also.
Spybot Search and Destroy
Combofix
Malwarebytes Anti-malware